“Phishing” and “Pharming” Advice for consumers

Published on: 20 September 2006

This notice is issued by the Financial Supervision Commission (“the Commission”) in accordance with the powers conferred upon it under Section 22 of the Financial Supervision Act 1988.

These terms relate to a relatively recent type of fraud which is rapidly rising in scale. The fraud makes use of the internet and emails to lure victims into divulging personal financial details to the fraudsters, allowing the fraudsters to steal the victim’s identity and attack their bank accounts and other financial holdings.

What is “Phishing”?

In this version of the fraud the victim receives an email purporting to be from their bank or other financial institution. The email will give some explanation for the victim needing to access the website of the relevant bank or financial institution to confirm their details. The email will usually contain a link to the purported website of the relevant institution.

When the victim clicks on the link they will actually be directed to a fake website which has been copied or “spoofed” to look like that of the genuine institution. The web address of the site will often closely resemble that of the genuine institution or will be masked to give that appearance. Often the link itself will look, in the email, identical to that of the genuine institution but will, in fact, have a hidden link embedded within it, linking to the fraudulent site.

Once the victim is at the fraudulent website they will be asked to complete various details under the pretext of fulfilling a “security check” or of “updating their details”. By completing the requested details the victim is encouraged to divulge financial information such as account numbers, credit card details, user names, passwords and personal information such as dates of birth, social security numbers and memorable information (mothers maiden name etc.)

The data collected by the fraudsters can then be used to:

a) Fraudulently access funds in the victim’s account(s); and/or

b) Steal the victim’s “identity” and open new accounts or apply for credit in the victim’s name. (The Commission has previously issued advice in relation to identity theft.

What is “Pharming”?

This term refers to a more advanced development of the rather more simplistic phishing technique referred to above.

In this development of the fraud, rather than relying on the victim to actively click on a link to the fraudsters’ “spoofed” website, the fraudsters use computer programming methods to divert the victim from the genuine website of their bank or financial institution website to the one prepared by the fraudsters. They do this by interfering with the hidden systems which convert the “text based” web address of the bank or institution into a numerical IP address. The method can be likened to altering the telephone number in a telephone directory. Whenever you try to access a web address (eg. www.fsc.gov.im) your web browser must look up the numeric IP address of this web address. The internet then uses the numerical IP address to navigate to the correct location. By altering the numerical IP address that is looked up, the fraudster can entrap the victim without the victim being aware or suspicious that they have not connected to the genuine website that they intended to.

Once the unwitting victim has reached the fraudsters’ “spoofed” website the fraud proceeds in the same way as that described in the above section on “phishing”.

There are telltale signs that you may be the subject of a “pharming” attack. When you connect to the genuine secure pages of your bank website you should see a locked padlock or unbroken key symbol in the bottom right corner of your browser window. The beginning of your bank web address in the browser should change from http to https. If these do not appear you are not on a secure site. You should refrain from entering any information and should contact your bank, using a known genuine telephone number for advice.

What can I do to avoid falling victim to these frauds?

• Keep passwords and PINs safe - Always be suspicious of any unsolicited emails or calls asking you to disclose any personal details or card numbers. This information is secret. Keep it that way. Be wary of disclosing any personal information to someone you don't know. Your bank and the police would never contact you to ask you to disclose PINs or all your password information.

• Know who you are dealing with - Always access Internet banking by typing the bank's address into your web browser. Never go to a website from a link in an email and enter personal details. If you are in any doubt, contact the bank separately on a telephone number that you know to be genuine.

• Keep your PC secure - Use up-to-date anti-virus software and a personal firewall. If your computer uses the Microsoft Windows operating system, keep it updated from the Microsoft website. Be especially careful when using Internet cafes or any PC which is not your own and over which you have no control.

• Check your bank's website - Your bank will probably have advice on its website about how to stay safe online. Check it regularly for specific information and guidance on protecting yourself and your PC when online.

• Always learn your bank password and other security information - Destroy the notice advising you of it as soon as you receive it.

• Never write down or record your bank password or other security information unless it is well disguised.

• Always take reasonable steps to keep your bank password and other security information secret at all times - Never reveal it to anyone else.

• If you change your bank password, choose one which cannot easily be guessed.

• Never give your account details or security information to anyone - If phoning the bank, be aware of what information they will ask you: you will not normally be asked for your password in full.

• Make sure that you always follow your bank's terms and conditions.

• Do not use the same password that you use for online banking at any non-banking sites

• Ensure that there is a locked padlock or unbroken key in the bottom right of your browser window before accessing the bank site. The beginning of the bank's Internet address will change from 'http' to 'https' when a secure connection is made.

• Never leave your computer unattended when logged in to Internet banking.

• Ensure that you log-out properly when you have finished banking online.

And finally

• Always Check your bank statement - If you notice anything irregular on your account contact your bank immediately.

If you have concerns or wish to know more about about this kind of fraud you can find more detailed information on the following websites:

The Anti Phishing Working Group

Banksafe Online

Public Warning ref: JPM/45/2006